Patrolling Your Software as Well as Your Buildings

Posted by Francisco K. on 2/9/2017

Patrolling Your Software as Well as Your Buildings

Ensuring your software is as well-guarded as your physical assets takes some effort. Every corner of your software has to be evaluated systematically. Just as your guard tour solution ensures every corner is regularly patrolled, the OWASP (the Open Web Application Security Project) Top 20 list gives you a patrol map for your software to protect against bots. Bots -- automated swarms of computational power -- can bring your website to its knees or harvest information you'd rather save for paying customers.

OWASP lists the 20 top automated threats to companies, from OAT-001 (Carding) to OAT-020 (Account Aggregation). This work goes beyond their earlier Top 10 code vulnerabilities to focus on vulnerabilities that require automation to exploit. Simply put, it categorizes and names bad bot behavior.

So what's a security leader to do with this new (and freely available, thanks OWASP!) information?

Here are three time-based tactics for making the most of this new OWASP material:


1. Short-Term: Prioritize the List

This is the equivalent of ensuring your guards go in the right order from high-value locations to low-value locations. While not always possible in the real world, it's definitely possible when defending software assets.

While OWASP does an outstanding job making their information digestible, each company will prioritize the list differently. For example, while OAT-008 (Credential Stuffing, as in attempting re-use of valid credentials) is likely to face every company, does OAT-013 (Sniping, as in last-second auction bids) matter to your business model? With the Sectors Targeted and Parties Affected suggestions thoughtfully provided by OWASP for each vulnerability type, you can create a prioritized list of vulnerabilities that matter the most to your company.


2. Medium-Term: Talk the Talk

Every guard needs to patrol the same thorough way, covering every checkpoint. OWASP's list makes it easy for everyone touching your software to do the same for your codebase.

Having a common language of discourse is powerful across your extended security team. OWASP's taxonomy conveniently includes a thoughtful terminology for each vulnerability. Precise language reduces confusion and adds precision. Set an example by using and encouraging use of the right term at the right time. If you have a team that will see a spike in failed logins, then discuss if the issue is stolen credential reuse (OAT-008) or brute-force credential cracking (OAT-007), they're internalizing the OWASP report. If they start to call credential cracking "James Bonds," that's a bonus.

Since every "software patrol" has to be thorough, the same list should be used for developers, QA and penetration testing.


Deggy Guard Tour Solution

3. Long-Term: Automate Your Defenses

Just like automating your guard patrol helps you have robust data, historical records and confidence in real time, using the OWASP Top 20 list gives you that same data. For example, there are automated methods for detecting automated attacks. Once again, OWASP has been helpful with suggested Data Commonly Misused for each of the 20 vulnerabilities. That gives you the general idea where in your log and ops data to look for clues. Benchmarking, then selecting warning and alert thresholds for those data, can be very powerful. For example, finding your baseline failed login attempts per day gives you the ability to set an alert when those spike.

OWASP has given security teams vulnerable to bot-based attacks a head start on evaluating and preventing common attacks. With these simple tips, you can get a leg up on all 20 classes of threats endangering your company today.

Source List:

OWASP Automated Threat Handbook (https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf)